CVE-2026-45582 n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry...
Google Chrome’s silent 4GB AI download problem [updated]
Google Chrome has been quietly downloading a 4GB AI model onto users' devices without asking first. Security researcher Alexander Hanff, aka ThatPrivacyGuy, reports that Chrome has been silently installing Gemini Nano, Google's on-device AI model, as a file called weights.bin stored in the...
CVE-2026-24332
Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible and not actually offline because the response to a WebSocket API request includes the user in the presences array with "status": "offline", whereas offline users are omitted from the presences...
Security update for chromium (critical)
openSUSE security update: security update for chromium. Announcement ID: openSUSE-SU-2025-20020-1. Rating: critical. References: bsc1250472 bsc1250780 bsc1251334. Cross-References: CVE-2025-10890 CVE-2025-10891 CVE-2025-10892 CVE-2025-1120...
EUVD-2020-20386
Malware in sbrugna...
EUVD-2017-6666
Malware in sbrugna...
EUVD-2022-3328
Malicious code in bioql PyPI...
Weblate: exposure of personal IP address via email.
The exposure of personal IP addresses through email messages has been identified as a potential security issue. Email messages can pass through multiple servers, which may store or record the content, including the user's IP address, even if the email is encrypted during transit. The user's IP...
Shopify faces privacy lawsuit for collecting customer data
Shopify faces a data privacy class action lawsuit in the US that could change the way globally active companies can be held accountable. The proposed class action is a revival of a case that had been dismissed by a lower court judge and a three-judge 9th Circuit Court of Appeals panel. But now it...
openSUSE Security Advisory (SUSE-SU-2024:0893-1)
The remote host is missing an update for the...
CVE-2024-28627
Summary: CVE-2024-28627 affects Flipsnack (version 18/03/2024) and enables a local attacker to obtain sensitive information via the reader.gz.js file. The available documents do not provide deeper root-cause details beyond this file-based exposure; no exploit vectors or in-the-wild activity are d...
Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools
Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11. The issue, dubbed aCropalypse, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that m...
Recovering Real Faces from Face-Generation ML System
New paper: "This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces." Abstract: Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website http://thispersondoesnotexist.com,...
Nextcloud: Default settings leak federated cloud id to lookup server of all users
So with the default settings Nextcloud still sends requests to the lookup server if users update their profile. Even if none of the fields are set to 'published'. I must admit this is somewhat of a surprise as there is no reason for this. As long as the visibility of none of the fields change and...
Nextcloud: Nextcloud update checks leaks information
Hi, I think this is more of a privacy concern than a security concern. However I wanted to check here first. Please direct me to another suitable location if needed. It is in relation to https://github.com/nextcloud/server/blob/master/lib/private/Updater/VersionCheck.php#L78 This is sending sever...
Facebook: Stolen Data Scraped from Platform in 2019
The leak of personal data from more than 533 million Facebook users was scraped from their profiles by malicious actors because of a security flaw in the company’s platform prior to September 2019, the social media giant said Tuesday. Threat actors posted that data to a public hacker forum over t...
HackerOne: Hackerone is not properly deleting user id
Summary: Long ago, I had an account on HackerOne that is now deleted. I used the alias email provided by H1 to sign up on a site for bug testing. To my surprise, I received an email to my account routed from an alias email that should not exist. Description: Steps To Reproduce 1. SignUp on H1 2. Us...
US firm accused of secretly installing location tracking SDK in mobile apps
By Zara Khan. A US government contractor, 'Anomaly Six', has location tracking software hidden in more than 500 mobile apps. This is a post from HackRead.com.
Collecting and Selling Mobile Phone Location Data
The Wall Street Journal has an article about a company called Anomaly Six LLC that has an SDK that's used by "more than 500 mobile applications." Through that SDK, the company collects location data from users, which it then sells. Anomaly Six is a federal contractor that provides...
Snapchat: CreatorID leaked from public content posted to SnapMaps
TL;DR - the Snap Map media responses unnecessarily return a creatorId. The creator's Snap username cannot be immediately derived from creatorId, but users can use the creatorId to correlate multiple public snaps with that creator. The impact is limited by the fact that all Our Story Snaps that...